Upgrade ossec to v3.0.0 #3724
Upgrade ossec to v3.0.0 #3724
Conversation
emkll
force-pushed
the
3701-bump-ossec-3.0.0
branch
3 times, most recently
from
76ec489 to
146b813
Compare
emkll
force-pushed
the
3701-bump-ossec-3.0.0
branch
from
146b813 to
f7eb0d3
Compare
emkll
changed the title
emkll
force-pushed
the
3701-bump-ossec-3.0.0
branch
from
f7eb0d3 to
f531d03
Compare
|
So far I'm testing on an upgrade scenario path... I'm actually installing from a i tried to reboot that service and i get Ya want to sync on this next week? I'd love to take a more active role in ushering this ticket thru if ya want some help. Maybe I just did something silly though -- so I'm also happy to get yelled at next week :) |
msheiny
force-pushed
the
3701-bump-ossec-3.0.0
branch
from
f531d03 to
6a562fd
Compare
|
rebased on develop |
|
After spending some time debugging, it seems like the agent and server debs that are compiled with the build-ossec-deb-pkg role (https://github.com/freedomofpress/securedrop/blob/develop/install_files/ansible-base/roles/build-ossec-deb-pkg/tasks/main.yml#L95) now provide an empty /var/ossec/etc/client.key, which causes the ossec agent to fail startup. This was not the case with debs build from upstream, nor with version 2.8.2 debs. This is also why the clean install works, but the upgrade scenario does not, as the client key is overwritten in the configuration. |
|
@conorsch do you have any clue as to where the contents of /var/ossec/ comes from on this line ?https://github.com/freedomofpress/securedrop/blob/develop/install_files/ansible-base/roles/build-ossec-deb-pkg/tasks/main.yml#L95 ? The contents of this are likely overwriting the client.keys EDIT: Not sure how I missed it, but https://github.com/freedomofpress/securedrop/blob/develop/install_files/ansible-base/roles/build-ossec-deb-pkg/tasks/main.yml#L84 installs ossec on the build host and then contents of /var/ossec are moved into the build dir. Removing the empty client.keys appears to do the trick ! |
emkll
force-pushed
the
3701-bump-ossec-3.0.0
branch
2 times, most recently
from
27ac0f0 to
b8f97d2
Compare
Ossec 3.0.0 contains several bug and security fixes, as such we should upgrade securedrop ossec agents and servers to this release.
As of 2.9.3, ossec source tarballs are now signed with a GPG key, instead of providing checksums. The following should now verify source code tarballs when packages are built/
- Generate and use shared secret which is required for agent registration - agent-auth now returns 0 when registration failure occurs
Due to issues with ossec 2.8.2+ and disabling of the ipv6 stack, name lookups can't `getaddrinfo: Name or service not known`. Using ip addresses in lieu of aliases sidesteps the issue. - Since ossec.conf is not templated, securedrop-ossec agent and server will replace these values as part of the postinst.
An empty client.keys was overwriting /var/ossec/etc/client.keys with an empty one, breaking the registration between client and server. Removing the empty client.keys prior to building will ensure the keys are preserved during an upgrade.
emkll
force-pushed
the
3701-bump-ossec-3.0.0
branch
from
b8f97d2 to
bddc30d
Compare
That's right, and it's specifically the
Glad to hear it! Given the cycles we're spending on pulling off the upgrade, now seems a fine time to bump mention of #2140, in case it would reduce our maintenance burden. |
|
Thanks for the help @msheiny, this is ready for re-review: based on my testing in prod VMs the bug you experienced should be fixed, emails now flow in. |
|
@emkll is there much if any change so far to the user experience (email formatting, sensitivity of triggers etc) compared to 2.8.2? |
|
@zenmonkeykstop: good question. The emails look the same, and based on < 24h of observations, the alerts appear to be the same as before, but we should keep an eye out for new alerts and update the docs if necessary. Release notes state that were some changes in 2.8.3 for Apache/Postfix, but a closer look at changes in https://github.com/ossec/ossec-hids/tree/master/etc/rules indicates they are minor. |
There was a problem hiding this comment.
Looking good on a second pass of an upgrade test! 🎉
Confirmed services were up and running on 3.x on both servers.. connection maintained .. and alerts were being processed by tailing the logs. I also rebooted boxes and confirmed behavior remained.
Doing scrach test now.
Status
Ready for review
Fixes #3701:
Updates ossec to v3.0.0, modifies build logic to use GPG signatures for verifying source.
Testing
Clean install scenario
./var/ossec/bin/ossec-control statusreturns running for all except ossec-execd./var/ossec/bin/list-agents -con mon server returns the app agentUpgrade scenario
./var/ossec/bin/ossec-control statusreturns running for all except ossec-execd./var/ossec/bin/list-agents -con mon server returns the app agentDeployment
Updates to securedrop-ossec-{agent,server} and ossec-{agent,server} will be served by apt and will be upgraded automatically.
Checklist
If you made changes to the server application code:
make ci-lint) and tests (make -C securedrop test) pass in the development containerIf you made changes to
securedrop-admin:make -C admin test) pass in the admin development containerIf you made changes to the system configuration:
If you made non-trivial code changes:
If you made changes to documentation:
make docs-lint) passed locally